Explore the latest developments in Software-Defined Radio (SDR) and toll booth reverse engineering in this 58-minute conference talk from BSides Columbus 2019. Delve into the E-Z Pass system, comparing protocols and examining interoperability updates. Learn about the original challenge, FCC ID identification, and specification hunting. Gain insights into key communication sequences, frequencies, and modulation types like On-Off Keying (OOK) and Manchester encoding. Discover essential tools and understand IQ data, GNU Radio, and FFT analysis. Investigate reader transponder strength complications, packet processing, and dissection techniques. Examine amplitude modulation from a transmitter perspective and explore original readers. Discuss potential attack vectors, the importance of this research, and the future of toll groups in the US. Conclude with valuable lessons learned and participate in a Q&A session.
Overview
Syllabus
Intro
Presentation Goals
E-Z Pass System
Comparison of Protocols
Interoperability Updates
Original Challenge
First Steps - FCC ID
Specification Hunting
Specification Key Information
Specification - Communication Sequence
Specification - Frequencies
Modulation Types
On-Off Keying (OOK)
Manchester encoding
Tools
IQ Data - What is actually recorded?
GNU Radio - FFT
Why FFT?
Stuck at Almost Manchester
Clock Recovery MM
Reader Transponder Strength Complications
Packet Processing
Packet Dissection - Specification
IAG File Agreements
Dissector - Current State
Packet Dissector Demo
Amplitude Modulation - TX View
Original Readers
Reverse, Reverse!
Output Strength
Solution
Attack Vectors
E-ZPass Call (or, the Alternative Benefits of CYA)
Importance Revisited
What's Next?
Future of Toll Groups in the US
Lessons Learned
Questions?
